LoFP / Legitimate platform components and node agents (cloud controller managers, CNI and CSI drivers, credential-injection sidecars) routinely query the metadata service. Validate by namespace, labels and workload identity (service account); suppress those expected sources and alert on atypical pods or namespaces, in particular application workloads whose parent process is a shell or download utility.

Techniques

Sample rules

Cisco Isovalent - Access To Cloud Metadata Service

Description

The following analytic detects workloads accessing the cloud instance metadata service (IMDS) at 169.254.169.254. AWS, GCP and Azure all serve their metadata endpoints on this link-local address, and it is a frequent target in SSRF and lateral-movement scenarios because it hands out temporary cloud credentials (instance-role or service-account tokens) and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical.

Detection logic

`cisco_isovalent_process_connect`
| rename process_connect.parent.binary as binary
| `excluded_cloud_binaries`
| stats count
        min(_time) as firstTime
        max(_time) as lastTime
        values(dest_port) as dest_port
        values(src_ip) as src_ip
    by cluster_name pod_name pod_image_name pod_namespace node_name dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___access_to_cloud_metadata_service_filter`
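The following is an added example, not the Splunk search above and not code from Cisco or Isovalent: it replays the same pipeline (metadata-IP scoping, the `excluded_cloud_binaries` allowlist, the site-specific filter, and the `stats ... by` aggregation) in Python over a handful of constructed process_connect events, and applies the false-positive guidance from the top of the page by suppressing expected sources by namespace and service account. The flattened event shape, the field `pod_service_account`, both allowlists and all sample records are assumptions for illustration; the real macros are defined in the Splunk app and are not shown on this page.

```python
"""Added example: replay the Access To Cloud Metadata Service logic offline.
Not the Splunk search or the Isovalent add-on; event shape, allowlists and
sample records below are assumptions made for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Only the address the page names. AWS also serves IMDS at fd00:ec2::254 on
# IPv6-enabled instances; extend this set if your nodes use it.
METADATA_IPS = {"169.254.169.254"}

# Stand-in for the `excluded_cloud_binaries` macro (hypothetical list): parent
# binaries that legitimately query IMDS on every node of a managed cluster.
EXCLUDED_CLOUD_BINARIES = {
    "/usr/bin/cloud-controller-manager",
    "/usr/local/bin/cloud-node-manager",
}

# Stand-in for the site-specific *_filter macro, applying the LoFP guidance:
# suppress expected sources by namespace and workload identity (service account).
# "*" means any service account in that namespace. Hypothetical allowlist.
EXPECTED_SOURCES = {
    ("kube-system", "*"),
    ("cloud-infra", "imds-proxy"),
}


def _event(t, ns, pod, image, sa, parent, dest_ip="169.254.169.254",
           dest_port=80, src_ip="10.244.3.17"):
    """Build a constructed, flattened process_connect record (assumed shape)."""
    return {"_time": t, "cluster_name": "prod-eu1", "node_name": "ip-10-0-1-10",
            "pod_namespace": ns, "pod_name": pod, "pod_image_name": image,
            "pod_service_account": sa, "src_ip": src_ip,
            "dest_ip": dest_ip, "dest_port": dest_port,
            "process_connect": {"parent": {"binary": parent}}}


# Constructed sample events (timestamps are 2024-05-01 ~10:00 UTC).
SAMPLE_EVENTS = [
    # expected: CNI agent in kube-system, suppressed by namespace
    _event(1714557500, "kube-system", "aws-node-x7k2q", "amazon-k8s-cni:v1.16",
           "aws-node", "/app/aws-k8s-agent", src_ip="10.0.1.10"),
    # expected: platform component, suppressed by the binary allowlist
    _event(1714557550, "infra", "ccm-5b7d", "cloud-controller-manager:v1.29",
           "ccm", "/usr/bin/cloud-controller-manager", src_ip="10.0.1.10"),
    # suspicious: a shell inside an application pod reaches IMDS twice
    _event(1714557600, "shop", "web-7d9f", "shop/web:2.3.1", "default", "/bin/sh"),
    _event(1714557660, "shop", "web-7d9f", "shop/web:2.3.1", "default", "/bin/sh"),
    # not metadata traffic at all (cluster DNS): out of scope
    _event(1714557700, "shop", "web-7d9f", "shop/web:2.3.1", "default", "/bin/sh",
           dest_ip="10.96.0.10", dest_port=53),
    # expected: dedicated IMDS proxy, suppressed by namespace + service account
    _event(1714557800, "cloud-infra", "imds-proxy-0", "infra/imds-proxy:1.4",
           "imds-proxy", "/usr/bin/imds-proxy", src_ip="10.244.9.2"),
]


@dataclass
class Finding:
    """One row of the `stats ... by` output."""
    cluster_name: str
    pod_name: str
    pod_image_name: str
    pod_namespace: str
    node_name: str
    dest_ip: str
    count: int
    firstTime: str
    lastTime: str
    dest_port: list
    src_ip: list


def _ctime(epoch):
    """Counterpart of `security_content_ctime`: epoch seconds to a UTC timestamp."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def is_expected_source(ev):
    """LoFP tuning: namespace-wide or namespace+service-account suppression."""
    ns, sa = ev["pod_namespace"], ev.get("pod_service_account", "")
    return (ns, "*") in EXPECTED_SOURCES or (ns, sa) in EXPECTED_SOURCES


def detect(events):
    """Return one Finding per (cluster, pod, image, namespace, node, dest_ip)."""
    groups = {}
    for ev in events:
        if ev["dest_ip"] not in METADATA_IPS:
            continue  # only connections to the metadata service are in scope
        if ev["process_connect"]["parent"]["binary"] in EXCLUDED_CLOUD_BINARIES:
            continue  # `excluded_cloud_binaries`
        if is_expected_source(ev):
            continue  # site-specific filter macro
        key = (ev["cluster_name"], ev["pod_name"], ev["pod_image_name"],
               ev["pod_namespace"], ev["node_name"], ev["dest_ip"])
        g = groups.setdefault(key, {"times": [], "ports": set(), "srcs": set()})
        g["times"].append(ev["_time"])
        g["ports"].add(ev["dest_port"])
        g["srcs"].add(ev["src_ip"])
    return [Finding(*key, count=len(g["times"]),
                    firstTime=_ctime(min(g["times"])), lastTime=_ctime(max(g["times"])),
                    dest_port=sorted(g["ports"]), src_ip=sorted(g["srcs"]))
            for key, g in groups.items()]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(json.dumps(f.__dict__, indent=2))
```

Running the block prints a single finding for the `shop/web-7d9f` pod with `count` 2, because the two shell-spawned connections collapse into one row while the CNI agent, the controller manager, the IMDS proxy and the DNS lookup are all dropped by the three filters in turn. Note that the visible SPL filters only on parent binary, so a suspicious child process (for example a shell that `exec`s `curl`) launched by an allowlisted parent would be suppressed; if the data source exposes the child binary, filtering on both is the safer choice.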